SQL Server Forum / General / Security / January 2007


Is it possible to secure a database against the local admin?

ms news group - 17 Jan 2007 11:34 GMT
Since the local admin has full control over local files, he can
always use detach, copy and attach to access the database contained in the
db files. Thus it is impossible to separate the role of computer admin from
the DBA role, am I right? Does anyone have any ideas on this? Thx
Uri Dimant - 17 Jan 2007 13:45 GMT
I don't think, sysadmin can navigate to the db files path and do
everything. But why do you think that he/she will do that without notifying a
database administrator?
I think it is more a matter of company policies.

> Since local admin has full control on local file, so he can
> always use detach, copy and attach to access the database contained in the
> db files. Thus it is impossible to separate the role of computer admin with
> the dba role, am I right? Anyone has any idea on this? Thx
JoeyD - 17 Jan 2007 22:00 GMT
It's probably impossible to completely secure the database from a
system admin but here are some steps to make it harder:

1) In SQL - remove the BUILTIN\Administrators. (This is probably the
single biggest thing you can do.)
   If this group is removed from SQL then any local
administrators will NOT have access to SQL Server and therefore cannot
use the 'detach' process to copy the data file.

2) Secure your 'sa' password. (2nd biggest thing you can do).

hth

> Since local admin has full control on local file, so he can
> always use detach, copy and attach to access the database contained in the
> db files. Thus it is impossible to separate the role of computer admin with
> the dba role, am I right? Anyone has any idea on this? Thx
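
The two steps in the reply above, as an added T-SQL example that is not part of the thread. It assumes SQL Server 2005 or later (catalog views) and a session that is already sysadmin through a login other than the local Administrators group; it finds the group by its well-known SID (S-1-5-32-544) so a localized group name does not matter, and it refuses to drop the login if no other enabled sysadmin would remain.

```sql
-- Added example. Assumes SQL Server 2005+ and that you are connected as a
-- sysadmin through a login other than the local Administrators group.
SET NOCOUNT ON;

-- Well-known SID S-1-5-32-544 (local Administrators), in binary form.
DECLARE @admins_sid varbinary(85);
SET @admins_sid = 0x01020000000000052000000020020000;

-- 1. Show every member of sysadmin so you can see who keeps access.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.type_desc, p.name;

-- 2. Count enabled sysadmin members other than that group and sa.
--    Service identities such as NT AUTHORITY\SYSTEM count here too, so
--    read the list from step 1 before relying on this guard.
DECLARE @others int;
SELECT @others = COUNT(*)
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND p.is_disabled = 0
  AND p.sid <> @admins_sid
  AND p.sid <> 0x01;          -- sa always has SID 0x01

IF @others = 0
BEGIN
    RAISERROR(N'No other enabled sysadmin login exists; create a DBA login first.', 16, 1);
    RETURN;
END;

-- 3. Drop the group login, whatever its (possibly localized) name is.
DECLARE @name sysname, @sql nvarchar(400);
SELECT @name = name FROM sys.server_principals WHERE sid = @admins_sid;
IF @name IS NOT NULL
BEGIN
    SET @sql = N'DROP LOGIN ' + QUOTENAME(@name) + N';';
    EXEC (@sql);
END;

-- 4. Review how sa is protected (the second step in the post).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;
```

This closes only the SQL Server login path; file-level access by a Windows administrator, raised in the replies that follow, is unaffected.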
Erland Sommarskog - 17 Jan 2007 23:11 GMT
> It's probably impossible to completely secure the database from a
> system admin but here are some steps to make it harder:
[quoted text clipped - 4 lines]
> administrators will NOT have access to SQL Server and therefore can not
> use the 'detach' process to copy the data file.

But he can stop the service and then copy the files.


Signature

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Mark J. McGinty - 18 Jan 2007 10:35 GMT
>> It's probably impossible to completely secure the database from a
>> system admin but here are some steps to make it harder:
[quoted text clipped - 6 lines]
>
> But he can stop the service and then copy the files.

It is possible to deny file system access to any user or group, including
Administrator/Administrators -- you can't keep an admin from taking
ownership and granting himself access, but you can tell if this has been
done: admin cannot revert/reset ownership after having taken it. (Corporate
policy must take over from there.)

-Mark
ms news group - 26 Jan 2007 11:25 GMT
Thanks. This sounds like a better solution.

Perhaps the stuff in SQL 2005 like encryption, certificates etc. can be
used.

> >> It's probably impossible to completely secure the database from a
> >> system admin but here are some steps to make it harder:
[quoted text clipped - 14 lines]
>
> -Mark
